[tor-talk] TBB update mechanism

Georg Koppen gk at torproject.org
Mon Mar 2 07:58:58 UTC 2020


Hans Vader:
> Dear TOR people,
> 
> I have a question regarding the updating mechanism of tor browser from
> within the browser.
> These updates are signed I stronly suppose. I would like to know, does
> checking these signatures depend on external programs like gpg? Is the
> signature verification application for updates part of the browser
> bundle itself?

For updates we essentially use the Firefox updater and, yes, we are
signing the update files.

Firefox and thus Tor Browser comes with its own means to check the
signature[1], there is no external tool required. For more information
about the Firefox update process and the .mar files, which are the
update files the Tor Browser build process produces, see the Mozilla
wiki[2] as a starting point.

Georg

[1] https://wiki.mozilla.org/Software_Update:MAR_Signing_and_Verification
[2] https://wiki.mozilla.org/Software_Update

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20200302/ceeb45e3/attachment.sig>


More information about the tor-talk mailing list